Being vulnerable is not comfortable. And having a stranger tell you that you are vulnerable, in a way you had not even thought of, can be scary. But when it comes to vulnerabilities in the website you are looking after, a panic response is not helpful.
It is very hard, even for the best web developers, to build a website that has no vulnerabilities at all. Attackers keep finding new techniques, so a website that was considered secure when it was developed may become insecure later, once a new way of attacking it is discovered.
Some of the people who attack websites have criminal intentions. But there are also people who will try to hack a website out of sheer curiosity, or for the intellectual challenge. If they find a vulnerability, the best outcome for you is that they tell you about it, so you can fix it.
But often they do not know whom to tell, and may worry that the website owner will try to punish them for what they did. Such incidents have occurred in New Zealand, for example the Ecan bus fare card case in 2013.
To take the fear out of the situation, the New Zealand Internet Task Force (NZITF) has decided to encourage the adoption of responsible disclosure policies. NZITF members are the technically-minded people who help keep the Internet infrastructure in New Zealand safe. The idea of responsible disclosure has been around for a number of years under various names, including ‘coordinated disclosure’ and ‘responsible security disclosure’.
We think this is a sound approach, and have recently published our own Vulnerability Disclosure Policy. The idea is to assure anyone who notices a problem with our website that they can tell us without any likelihood of recrimination. We care about getting the security of our website right, and we will listen. The policy also holds us publicly accountable for fixing any such problems, because we accept that the person who found the problem may publish information about it.
We are not alone in thinking that being open to feedback is preferable to being defensive and hostile. Internationally, some large companies such as Google have equivalent policies. Other agencies in New Zealand that have published similar policies include the Domain Name Commission, New Zealand Registry Services, Signify and Sky.
For help in adopting a vulnerability disclosure policy for your organisation, I suggest you read the NZITF’s guidance on the subject.
Image credit: SDASM Archives via Creative Commons